From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Cc: linux-security-module@vger.kernel.org,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	dhowells@redhat.com, herbert@gondor.apana.org.au
Subject: Re: [PATCH v2.2 6/7] integrity: digital signature verification using multiple keyrings
Date: Fri, 04 Nov 2011 07:29:46 -0400
Message-ID: <1320406187.2010.11.camel@falcor>
In-Reply-To: <f094bd1603dcf682b8ab5fb41af7c5635cb04d23.1319025009.git.dmitry.kasatkin@intel.com>

On Wed, 2011-10-19 at 14:51 +0300, Dmitry Kasatkin wrote:
> Define separate keyrings for each of the different use cases - evm, ima,
> and modules. Using different keyrings improves search performance, and also
> allows "locking" specific keyring to prevent adding new keys.
> This is useful for evm and module keyrings, when keys are usually only
> added from initramfs.
> 
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>

Thanks Dmitry!  Other than the couple of trailing whitespaces, the
patches look good.  I think adding the word 'public', above, to 'adding
new keys' clarifies that the keyrings are only used for the digital
signatures.

Acked-by: Mimi Zohar <zohar@us.ibm.com>

> ---
>  security/integrity/Kconfig     |   14 +++++++++++
>  security/integrity/Makefile    |    1 +
>  security/integrity/digsig.c    |   48 ++++++++++++++++++++++++++++++++++++++++
>  security/integrity/integrity.h |   20 ++++++++++++++++
>  4 files changed, 83 insertions(+), 0 deletions(-)
>  create mode 100644 security/integrity/digsig.c
> 
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 4bf00ac..d87fa2a 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -3,5 +3,19 @@ config INTEGRITY
>  	def_bool y
>  	depends on IMA || EVM
> 
> +config INTEGRITY_DIGSIG
> +	boolean "Digital signature verification using multiple keyrings"
> +	depends on INTEGRITY
> +	default n
> +	select DIGSIG
> +	help
> +	  This option enables digital signature verification support
> +	  using multiple keyrings. It defines separate keyrings for each
> +	  of the different use cases - evm, ima, and modules.
> +	  Different keyrings improves search performance, but also allow
> +	  to "lock" certain keyring to prevent adding new keys.
> +	  This is useful for evm and module keyrings, when keys are
> +	  usually only added from initramfs.
> +
>  source security/integrity/ima/Kconfig
>  source security/integrity/evm/Kconfig
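
Review bot: the help text of the new INTEGRITY_DIGSIG entry is ungrammatical ("Different keyrings improves search performance, but also allow to "lock" certain keyring") and does not say that the keys in question are public keys used only for signature verification. Suggest something like: Using separate keyrings improves search performance and also allows a keyring to be "locked" to prevent adding new public keys. The "default n" line can be dropped as well, since n is already the Kconfig default.
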
> diff --git a/security/integrity/Makefile b/security/integrity/Makefile
> index 0ae44ae..bece056 100644
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -3,6 +3,7 @@
>  #
> 
>  obj-$(CONFIG_INTEGRITY) += integrity.o
> +obj-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o
> 
>  integrity-y := iint.o
> 
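
Review bot: digsig.o is added as its own obj- entry instead of joining the integrity composite object listed just below (integrity-y := iint.o). Because digsig.c builds pr_fmt from KBUILD_MODNAME, its pr_err() prefix will follow the digsig object name rather than integrity. If the file is meant to be part of integrity.o, use integrity-$(CONFIG_INTEGRITY_DIGSIG) += digsig.o instead.
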
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> new file mode 100644
> index 0000000..b5d1e01
> --- /dev/null
> +++ b/security/integrity/digsig.c
> @@ -0,0 +1,48 @@
> +/*
> + * Copyright (C) 2011 Intel Corporation
> + *
> + * Author:
> + * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, version 2 of the License.
> + *
> + */
> +
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/err.h>
> +#include <linux/rbtree.h>
> +#include <linux/key-type.h>
> +#include <linux/digsig.h>
> +
> +#include "integrity.h"
> +
> +static struct key *keyring[INTEGRITY_KEYRING_MAX];
> +
> +static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
> +	"_evm",
> +	"_module",
> +	"_ima",
> +};
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> +					const char *digest, int digestlen)
> +{
> +	if (id >= INTEGRITY_KEYRING_MAX)
> +		return -EINVAL;
> +
> +	if (!keyring[id]) {
> +		keyring[id] =
> +			request_key(&key_type_keyring, keyring_name[id], NULL);
> +		if (IS_ERR(keyring[id])) {
> +			pr_err("no %s keyring: %ld\n", keyring_name[id],
> +							PTR_ERR(keyring[id]));
> +			keyring[id] = NULL;
> +			return PTR_ERR(keyring[id]);
> +		}
> +	}
> +
> +	return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
> +}
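
Review bot: in the IS_ERR() branch of integrity_digsig_verify(), keyring[id] is set to NULL before "return PTR_ERR(keyring[id]);", so the function returns PTR_ERR(NULL), which is 0, whenever request_key() fails. Any caller that treats 0 as a successful verification would then accept a signature when the keyring is missing. Save the error before clearing the slot, e.g. "int err = PTR_ERR(keyring[id]); keyring[id] = NULL; return err;". Two smaller points: the lazy assignment to the static keyring[] array is not serialised against concurrent callers, and nothing in this file appears to use <linux/rbtree.h>.
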
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e898094..9fc723b 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -51,5 +51,25 @@ struct integrity_iint_cache {
>  struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
>  struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
> 
> +#define INTEGRITY_KEYRING_EVM		0
> +#define INTEGRITY_KEYRING_MODULE	1
> +#define INTEGRITY_KEYRING_IMA		2
> +#define INTEGRITY_KEYRING_MAX		3
> +
> +#ifdef CONFIG_INTEGRITY_DIGSIG
> +
> +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> +					const char *digest, int digestlen);
> +
> +#else
> +
> +static inline int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> +					const char *digest, int digestlen)
> +{
> +	return -EOPNOTSUPP;
> +}
> +
> +#endif /* CONFIG_INTEGRITY_DIGSIG */
> +
>  /* set during initialization */
>  extern int iint_initialized;
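
Review bot: the first line of the static inline stub ("static inline int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,") runs past 80 columns; break it after the id parameter to match the wrapped prototype above it. Also, the INTEGRITY_KEYRING_* values double as indices into keyring_name[] in digsig.c, which is initialised positionally; designated initialisers there ([INTEGRITY_KEYRING_EVM] = "_evm", and so on) would keep the names and the constants from drifting apart if an entry is added or reordered.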
